Bug 224179

Summary:

BidiContext caching is not thread-safe

Product:

WebKit

Reporter:

Chris Lord <clord>

Component:

WebCore Misc.

Assignee:

Chris Lord <clord>

Status:

RESOLVED FIXED

Severity:

Normal

CC:

darin, webkit-bug-importer

Priority:

Keywords:

InRadar

Version:

WebKit Nightly Build

Hardware:

Unspecified

OS:

Unspecified

Bug Depends on:

Bug Blocks:

183720, 186759

Attachments:

Description	Flags
Patch	none
Patch	none

Description Chris Lord 2021-04-05 02:42:04 PDT

I'm not sure how this escaped, I thought I'd dealt with it in my branch but here we are. Debug mode crashes when using text with OffscreenCanvas because of the ref/deref thread check in BidiContext. Workers need to use uncached contexts or it needs to be thread-safe.

Comment 1 Chris Lord 2021-04-05 03:50:41 PDT

Created attachment 425144 [details]
Patch

Comment 2 Darin Adler 2021-04-05 16:56:30 PDT

Comment on attachment 425144 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=425144&action=review

> Source/WebCore/platform/text/BidiContext.cpp:65
> +            static BidiContext* ltrContext;
> +            static std::once_flag ltrContextOnceFlag;
> +            std::call_once(ltrContextOnceFlag, [&]() {
> +                ltrContext = &createUncached(0, U_LEFT_TO_RIGHT, false, FromStyleOrDOM, 0).leakRef();
> +            });
> +            return *ltrContext;

I think the superior idiom is something more like this that does not use leakRef:

    static NeverDestroyed<RefPtr<BidiContext>> ltrContext;
    static std::once_flag ltrContextOnceFlag;
    std::call_once(ltrContextOnceFlag, [&]() {
         ltrContext = createUncached(0, U_LEFT_TO_RIGHT, false, FromStyleOrDOM, 0);
    });
    return *ltrContext.get();

Comment 3 Chris Lord 2021-04-06 02:12:10 PDT

(In reply to Darin Adler from comment #2)
> Comment on attachment 425144 [details]
> Patch
> 
> View in context:
> https://bugs.webkit.org/attachment.cgi?id=425144&action=review
> 
> > Source/WebCore/platform/text/BidiContext.cpp:65
> > +            static BidiContext* ltrContext;
> > +            static std::once_flag ltrContextOnceFlag;
> > +            std::call_once(ltrContextOnceFlag, [&]() {
> > +                ltrContext = &createUncached(0, U_LEFT_TO_RIGHT, false, FromStyleOrDOM, 0).leakRef();
> > +            });
> > +            return *ltrContext;
> 
> I think the superior idiom is something more like this that does not use
> leakRef:
> 
>     static NeverDestroyed<RefPtr<BidiContext>> ltrContext;
>     static std::once_flag ltrContextOnceFlag;
>     std::call_once(ltrContextOnceFlag, [&]() {
>          ltrContext = createUncached(0, U_LEFT_TO_RIGHT, false,
> FromStyleOrDOM, 0);
>     });
>     return *ltrContext.get();

Funny, I played with this exact structure and not sure why I didn't settle with it... Anyway, I agree, will change.

Comment 4 Chris Lord 2021-04-06 02:12:42 PDT

Created attachment 425255 [details]
Patch

Comment 5 EWS 2021-04-06 02:59:41 PDT

Committed r275500: <https://commits.webkit.org/r275500>

All reviewed patches have been landed. Closing bug and clearing flags on attachment 425255 [details].

Comment 6 Radar WebKit Bug Importer 2021-04-06 03:00:19 PDT

<rdar://problem/76259907>